Re: [dmarc-ietf] Bridging the gap
Alessandro Vesely <vesely@tana.it> Wed, 15 June 2022 16:52 UTC
Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58D67C15AAC2 for <dmarc@ietfa.amsl.com>; Wed, 15 Jun 2022 09:52:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.003
X-Spam-Level:
X-Spam-Status: No, score=-4.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=axcX3juW; dkim=pass (1152-bit key) header.d=tana.it header.b=A1zXn+12
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogdJG_d-3JMq for <dmarc@ietfa.amsl.com>; Wed, 15 Jun 2022 09:52:00 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27B45C1594A8 for <dmarc@ietf.org>; Wed, 15 Jun 2022 09:51:57 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1655311911; bh=CetOOaDR7jrd/cb7qnqZRLnsuFc+NPiPc+1YnSc61mM=; h=Date:Subject:To:References:From:In-Reply-To; b=axcX3juWvzierQN/bFvDIh3heOjI0XcCHjsA+3N0vIp+ET1m3jsemyqicS/hNNww8 jw0OgS8mb48UYiiasqEAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1655311911; bh=CetOOaDR7jrd/cb7qnqZRLnsuFc+NPiPc+1YnSc61mM=; h=Date:To:References:From:In-Reply-To; b=A1zXn+12zt7l+kXz11+ppcqcb4iJ4l6qoIep1LQmZMfl0NaCLuV5J0akWu2b3FYz7 BsYxytKO9OshYWRGkba17XVsga4KZcsR913WXVn6aFmh4aSR1ggTyoYoflcTn+4STd Yj78AjdUhvW7yHU7lYHNDnfoP0PV3o5v4UK7+03zF1Fm0pKPEbhJgnWZ8o9eH
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0EF.0000000062AA0E27.00002162; Wed, 15 Jun 2022 18:51:51 +0200
Message-ID: <a62c53af-6909-eaec-2263-a36b049a5be0@tana.it>
Date: Wed, 15 Jun 2022 18:51:51 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: dmarc@ietf.org
References: <CAH48Zfya7iSO0xn5FeKd61eOouP0fnj07r7OD-VVD0Gwn5_Gkg@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAH48Zfya7iSO0xn5FeKd61eOouP0fnj07r7OD-VVD0Gwn5_Gkg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Bo4I3q7twpnZUjZImsw4crwNYFQ>
Subject: Re: [dmarc-ietf] Bridging the gap
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2022 16:52:06 -0000
On Wed 15/Jun/2022 04:40:31 +0200 Douglas Foster wrote: > > The problem seems rooted in our different attitudes toward the PSL. If one > assumes that the Tree Walk must displace the PSL completely and quickly, then > it becomes necessary to “make do” with incomplete information about > organizational boundaries, even though this introduces unwanted risk to > evaluators. I believe that the assumption is unnecessary, because the Tree Walk > and the PSL can coexist without harm. We simply specify that the Tree Walk > algorithm MUST be used when organizational boundary information is known to be > complete and certain, as indicated by specific policy tags, while the PSL MAY > be used when boundary information is uncertain or incomplete. I think we found the few critical domains which need a flag. I agree we should monitor the publishing of those flags before publishing the RFC, and possibly also afterwards. At that point, the tree walk should be safe to use for all DMARC filters. Yet, not all DMARC filters will be upgraded overnight. Use of the PSL is going to persist for some time. Mail filters which use the PSL also for other reasons may continue to do so even after upgrading to the tree walk for DMARC purposes. They may also compare tree walk and PSL results. I think that implementing a standard always leaves some leeway to the programmer. As long as the correct result is the outcome of the tree walk, programmers are free to decide how to manage data. They are not forced to throw away PSL lookups. > The “Must-use-Tree-Walk” indicator provides the domain owner with a remedy to > correct PSL errors, as well as a strategy for avoiding them. The MUST > indicator also means that DMARCbis-compliant implementations MUST implement the > Tree Walk algorithm, ensuring that the new algorithm becomes deployed with > critical mass. I'd be skeptical about user defined “Must-use-Tree-Walk” indicators. The psd= flag (or whatever we'll call it when we'll ask the owners of critical domains to set it) is functional and should be monitored. Any additional flag, statically set and forgotten by the domain owner, would always be questionable. Best Ale --
- [dmarc-ietf] Bridging the gap Douglas Foster
- Re: [dmarc-ietf] Bridging the gap Alessandro Vesely
- Re: [dmarc-ietf] Bridging the gap John Levine
- Re: [dmarc-ietf] Bridging the gap Alessandro Vesely
- Re: [dmarc-ietf] Bridging the gap John R Levine
- Re: [dmarc-ietf] Bridging the gap Alessandro Vesely
- Re: [dmarc-ietf] Bridging the gap Scott Kitterman
- Re: [dmarc-ietf] Bridging the gap John R Levine
- Re: [dmarc-ietf] Bridging the gap Alessandro Vesely
- Re: [dmarc-ietf] Bridging the gap Scott Kitterman
- Re: [dmarc-ietf] Bridging the gap Murray S. Kucherawy
- Re: [dmarc-ietf] Bridging the gap Barry Leiba
- Re: [dmarc-ietf] Bridging the gap Dotzero
- Re: [dmarc-ietf] Bridging the gap Scott Kitterman
- Re: [dmarc-ietf] Bridging the gap John Levine